Import LetsEncrypt Certificate over the REST API (sslclientcontextwithoutca)

Hello,


I'm trying to upload a new certificate over the API. This is my current way:

1. Grab the Cert with certbot

2. openssl rsa -in "/etc/letsencrypt/live/<domain>/privkey.pem" -out "/etc/letsencrypt/live/<domain>/privkey.pem-rsa"

3. Login to Proxy and GET https://<proxy>:4712/Konfigurator/REST/setting?type=com.scur.engine.sslclientcontextwithoutca, look for the setting I want to change

4. GET https://proxy:4712/Konfigurator/REST/setting/com.scur.engine.sslclientcontextwithoutca.<id>


<entry>
    <id>com.scur.engine.sslclientcontextwithoutca.<ID></id>
    <title><domain>-CA</title>
    <type>com.scur.engine.sslclientcontextwithoutca</type>
    <link href="https://<proxy>:4712/Konfigurator/REST/setting/com.scur.engine.sslclientcontextwithoutca.<ID>" rel="self"/>
    <content>
        <configuration version="1.0.0.2" mwg-version="7.7.2.9.1-25491" id="com.scur.engine.sslclientcontextwithoutca.<ID>" defaultRights="2" templateId="com.scur.template.engine.sslclientcontextwithoutca" name="<domain>-CA" targetId="com.scur.engine.sslclientcontextwithoutca">
            <acElements/>
            <configurationProperties>
                <configurationProperty key="ServerCertUsageList" type="com.scur.type.inlineList" listType="com.scur.type.complex.ssl.servercertmapping" encrypted="false" value="<inlinexmlstuff>"/>
                <configurationProperty key="SSLOnlyWithClient" type="com.scur.type.boolean" encrypted="false" value="true"/>
                <configurationProperty key="TLS12" type="com.scur.type.boolean" encrypted="false" value="true"/>
                <configurationProperty key="TLS11" type="com.scur.type.boolean" encrypted="false" value="true"/>
                <configurationProperty key="TLS10" type="com.scur.type.boolean" encrypted="false" value="true"/>
                <configurationProperty key="SSL30" type="com.scur.type.boolean" encrypted="false" value="false"/>
                <configurationProperty key="CipherList" type="com.scur.type.string" encrypted="false" value="EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"/>
                <configurationProperty key="SessionCacheTTL" type="com.scur.type.number" encrypted="false" value="0"/>
                <configurationProperty key="WithCA" type="com.scur.type.boolean" encrypted="false" value="false"/>
                <configurationProperty key="PerformUnsecureRenegotiation" type="com.scur.type.boolean" encrypted="false" value="false"/>
                <configurationProperty key="SendEmptyPlainTextFragment" type="com.scur.type.boolean" encrypted="false" value="false"/>
                <configurationProperty key="AllowLegacySignatures" type="com.scur.type.boolean" encrypted="false" value="false"/>
            </configurationProperties>
            <description></description>
        </configuration>
    </content>
</entry>


5. Append a new listEntry to the value of entry/content/configuration/configurationProperties/configurationProperty[@key='ServerCertUsageList'] (i.e. the <inlinexmlstuff>) like this:


<list version="1.0.3.46" mwg-version="7.7.2.9.1-25491" classifier="Other" systemList="false" structuralList="false" defaultRights="2">
  <description></description>
  <content>
    <listEntry> <!-- NEW -->
      <complexEntry defaultRights="2">
        <acElements/>
        <configurationProperties>
          <configurationProperty key="Host" type="com.scur.type.regex" encrypted="false" value="<domain>"/>
          <configurationProperty key="Cert" type="com.scur.type.string" encrypted="false" value="<contentofcertfile>"/>
          <configurationProperty key="Key" type="com.scur.type.string" encrypted="false" value="<contentofprivkey-rsa>"/>
          <configurationProperty key="UseEngine" type="com.scur.type.boolean" encrypted="false" value="false"/>
          <configurationProperty key="KeyHSMKeyID" type="com.scur.type.string" encrypted="false" value=""/>
          <configurationProperty key="CertChain" type="com.scur.type.string" encrypted="false" value="<contentofchainfile>"/>
        </configurationProperties>
      </complexEntry>
      <description></description>
    </listEntry> <!-- NEW END -->
    <listEntry>
      <complexEntry defaultRights="2">
        <acElements/>
        <configurationProperties>
          <configurationProperty key="Host" type="com.scur.type.regex" encrypted="false" value="*"/>
          <configurationProperty key="Cert" type="com.scur.type.string" encrypted="false" value="<anothercert>"/>
          <configurationProperty key="Key" type="com.scur.type.string" encrypted="true" value="<anotherkey>"/>
          <configurationProperty key="UseEngine" type="com.scur.type.boolean" encrypted="false" value="false"/>
          <configurationProperty key="KeyHSMKeyID" type="com.scur.type.string" encrypted="false" value=""/>
          <configurationProperty key="CertChain" type="com.scur.type.string" encrypted="false" value="<anotherchain>"/>
        </configurationProperties>
      </complexEntry>
      <description></description>
    </listEntry>
  </content>
  </list>

6. PUT https://proxy:4712/Konfigurator/REST/setting/com.scur.engine.sslclientcontextwithoutca.<id> payload: <modifiedxml>


It works (no errors) and the proxy uses the certificate correctly, but in the web GUI the entry has a red background and reports that something is wrong with it. When I now open the setting in the web GUI and immediately click OK (without changing anything), the setting goes back to white.

When I now request https://proxy:4712/Konfigurator/REST/setting/com.scur.engine.sslclientcontextwithoutca.<id>, the <inlinexmlstuff> has changed:


<list version="1.0.3.46" mwg-version="7.7.2.9.1-25491" classifier="Other" systemList="false" structuralList="false" defaultRights="2">
  <description></description>
  <content>
    <listEntry>
      <complexEntry defaultRights="2">
        <acElements/>
        <configurationProperties>
          <configurationProperty key="Host" type="com.scur.type.regex" encrypted="false" value="<domain notchanged>"/>
          <configurationProperty key="Cert" type="com.scur.type.string" encrypted="false" value="<contentofcertfile nothchanged>"/>
          <configurationProperty key="Key" type="com.scur.type.string" encrypted="true" value="<contentofprivkey-rsa suddenly encrypted?>"/>
          <configurationProperty key="UseEngine" type="com.scur.type.boolean" encrypted="false" value="false"/>
          <configurationProperty key="KeyHSMKeyID" type="com.scur.type.string" encrypted="false" value=""/>
          <configurationProperty key="CertChain" type="com.scur.type.string" encrypted="false" value="<contentofchainfile notchanged>"/>
        </configurationProperties>
      </complexEntry>
      <description></description>
    </listEntry>
    <listEntry>
      <complexEntry defaultRights="2">
        <acElements/>
        <configurationProperties>
          <configurationProperty key="Host" type="com.scur.type.regex" encrypted="false" value="*"/>
          <configurationProperty key="Cert" type="com.scur.type.string" encrypted="false" value="<anothercert notchanged>"/>
          <configurationProperty key="Key" type="com.scur.type.string" encrypted="true" value="<anotherkey notchanged>"/>
          <configurationProperty key="UseEngine" type="com.scur.type.boolean" encrypted="false" value="false"/>
          <configurationProperty key="KeyHSMKeyID" type="com.scur.type.string" encrypted="false" value=""/>
          <configurationProperty key="CertChain" type="com.scur.type.string" encrypted="false" value="<anotherchain notchanged>"/>
        </configurationProperties>
      </complexEntry>
      <description></description>
    </listEntry>
  </content>
  </list>

The private key differs from the key I set, and the flag encrypted is now true.

So now to my question: which passphrase and algorithm are used to encrypt the private key? Is the reason for the red background that I set a non-encrypted key? Can I encrypt the private key with my own passphrase and send it with a parameter to the API?


Regards, Maximilian
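The XML surgery in steps 4 to 6 (unescape the ServerCertUsageList attribute, prepend a listEntry, re-escape, PUT) is easy to get wrong by hand. The following Python helper is an added example for this thread, not McAfee's code and not the poster's script. It assumes the setting document has the shape shown above, uses constructed placeholder PEM strings and IDs instead of real material, and, because the post only says "Login to Proxy", treats authentication as an assumption by taking a ready-made Cookie header for the PUT.

```python
"""Prepend a host-to-certificate mapping to an MWG sslclientcontextwithoutca setting.

Added example for the thread above (not McAfee code). Assumes the setting XML
looks like the GET response in the post: a configurationProperty with
key="ServerCertUsageList" whose value attribute holds an escaped <list> document.
"""
import html
import urllib.request
import xml.etree.ElementTree as ET

USAGE_LIST_KEY = "ServerCertUsageList"


def _property(parent, key):
    """Return the first configurationProperty below parent with the given key."""
    for prop in parent.iter("configurationProperty"):
        if prop.get("key") == key:
            return prop
    raise KeyError(f"configurationProperty key={key!r} not found")


def _build_list_entry(host, cert_pem, key_pem, chain_pem):
    """Build a <listEntry> in the layout the existing entries use."""
    entry = ET.Element("listEntry")
    complex_entry = ET.SubElement(entry, "complexEntry", defaultRights="2")
    ET.SubElement(complex_entry, "acElements")
    props = ET.SubElement(complex_entry, "configurationProperties")
    fields = [
        ("Host", "com.scur.type.regex", host),
        ("Cert", "com.scur.type.string", cert_pem),
        # Sent with encrypted="false", exactly as in the post; the appliance
        # rewrote the key as encrypted="true" after a save from the GUI.
        ("Key", "com.scur.type.string", key_pem),
        ("UseEngine", "com.scur.type.boolean", "false"),
        ("KeyHSMKeyID", "com.scur.type.string", ""),
        ("CertChain", "com.scur.type.string", chain_pem),
    ]
    for key, typ, value in fields:
        ET.SubElement(props, "configurationProperty", key=key, type=typ,
                      encrypted="false", value=value)
    ET.SubElement(entry, "description")
    return entry


def add_server_cert_mapping(setting_xml, host, cert_pem, key_pem, chain_pem):
    """Return the setting XML with the new mapping inserted as the FIRST list entry.

    Ordering matters: the existing catch-all entry uses Host="*", so a new entry
    appended after it would never be selected.
    """
    setting = ET.fromstring(setting_xml)
    usage_prop = _property(setting, USAGE_LIST_KEY)
    # ElementTree has already unescaped the attribute, so this is a plain <list> document.
    inline_list = ET.fromstring(usage_prop.get("value"))
    inline_list.find("content").insert(0, _build_list_entry(host, cert_pem, key_pem, chain_pem))
    # Serialising re-escapes the nested document into the attribute value.
    usage_prop.set("value", ET.tostring(inline_list, encoding="unicode"))
    return ET.tostring(setting, encoding="unicode")


def mapping_summary(setting_xml):
    """(Host pattern, Key encrypted flag) per entry, in order; check this before the PUT."""
    setting = ET.fromstring(setting_xml)
    inline_list = ET.fromstring(_property(setting, USAGE_LIST_KEY).get("value"))
    return [(_property(e, "Host").get("value"), _property(e, "Key").get("encrypted"))
            for e in inline_list.iter("listEntry")]


def put_setting(url, body, cookie_header, timeout=30):
    """Step 6 of the post. Auth is an assumption: a session Cookie header is passed in."""
    req = urllib.request.Request(url, data=body.encode("utf-8"), method="PUT",
                                 headers={"Content-Type": "application/xml",
                                          "Cookie": cookie_header})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


# Constructed sample mirroring the GET response in the post (placeholder values only).
_SAMPLE_LIST = (
    '<list version="1.0.3.46" classifier="Other" systemList="false" '
    'structuralList="false" defaultRights="2"><description></description><content>'
    '<listEntry><complexEntry defaultRights="2"><acElements/><configurationProperties>'
    '<configurationProperty key="Host" type="com.scur.type.regex" encrypted="false" value="*"/>'
    '<configurationProperty key="Cert" type="com.scur.type.string" encrypted="false" value="CERT-PLACEHOLDER"/>'
    '<configurationProperty key="Key" type="com.scur.type.string" encrypted="true" value="KEY-PLACEHOLDER"/>'
    '<configurationProperty key="UseEngine" type="com.scur.type.boolean" encrypted="false" value="false"/>'
    '<configurationProperty key="KeyHSMKeyID" type="com.scur.type.string" encrypted="false" value=""/>'
    '<configurationProperty key="CertChain" type="com.scur.type.string" encrypted="false" value="CHAIN-PLACEHOLDER"/>'
    '</configurationProperties></complexEntry><description></description></listEntry>'
    '</content></list>'
)
SAMPLE_SETTING = (
    '<entry><id>com.scur.engine.sslclientcontextwithoutca.EXAMPLE-ID</id>'
    '<title>example-CA</title><type>com.scur.engine.sslclientcontextwithoutca</type>'
    '<content><configuration version="1.0.0.2" id="com.scur.engine.sslclientcontextwithoutca.EXAMPLE-ID">'
    '<acElements/><configurationProperties>'
    '<configurationProperty key="ServerCertUsageList" type="com.scur.type.inlineList" '
    'listType="com.scur.type.complex.ssl.servercertmapping" encrypted="false" '
    f'value="{html.escape(_SAMPLE_LIST, quote=True)}"/>'
    '<configurationProperty key="WithCA" type="com.scur.type.boolean" encrypted="false" value="false"/>'
    '</configurationProperties><description></description></configuration></content></entry>'
)

if __name__ == "__main__":
    modified = add_server_cert_mapping(SAMPLE_SETTING, "www.example.org",
                                       "NEW-CERT-PLACEHOLDER", "NEW-KEY-PLACEHOLDER",
                                       "NEW-CHAIN-PLACEHOLDER")
    print(mapping_summary(modified))  # [('www.example.org', 'false'), ('*', 'true')]
```

In real use, replace SAMPLE_SETTING with the body of the GET from step 4, read the PEM files certbot produced into the cert, key and chain arguments, and hand the result of add_server_cert_mapping to put_setting with the same URL. The mapping_summary output makes the two points of the thread visible before anything is pushed: the new host sits ahead of the "*" entry, and its Key property is the one carrying encrypted="false".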
